CAA Record Helper

By SSLMate

About CAA

There are over 100 organizations, called certificate authorities, that can issue SSL certificates which vouch for the identity of your domain. If a certificate authority misbehaves and gives an attacker a certificate for your domain, the attacker can impersonate your website and intercept the data of your visitors.

If you're like most domain owners, you get your certificates from only a handful of certificate authorities. CAA (Certificate Authority Authorization) is a type of DNS record that lets you declare which certificate authorities you actually use, forbidding the others from issuing certificates for your domain.

Here are some reasons for you to use CAA:

Setting up CAA is easy. Use the handy CAA generator to check off the certificate authorities which you authorize. Then publish the generated DNS records in your domain's DNS. Your domain needs to be hosted with a DNS provider that supports CAA. Fortunately, many major DNS providers now support CAA.

CAA is an IETF standard defined by RFC 8659. As of September 8, 2017, all public certificate authorities are required to respect CAA records. Before issuing a certificate for a domain, they must check the domain for CAA records, and refuse to issue if the CAA record set doesn't authorize them. (If there is no CAA record, they are allowed to issue.)

CAA and Sub-domains

The CAA record set for a domain also applies to all sub-domains, unless the sub-domain has its own CAA record set.

For example, before a certificate authority issues a certificate for www.example.com, it will query domains for CAA record sets in the following order, and use the first record set it finds:

  1. www.example.com
  2. example.com

CAA and CNAME

If a domain name is a CNAME (also known as an alias) for another domain, then the certificate authority looks for the CAA record set at the CNAME target (just like any other DNS lookup). If no CAA record set is found, the certificate authority continues searching parent domains of the original domain name.

For example, if blog.example.com is a CNAME for blogprovider.example, then the certificate authority looks for CAA record sets in the following order:

  1. blogprovider.example
  2. example.com

As with other DNS record types, it is not possible for a domain name to have both a CNAME and a CAA record.

Limitations

A certificate authority that goes rogue or is totally compromised can issue a certificate for your domain regardless of what CAA says. Also, DNS records can be spoofed by a powerful attacker to trick a certificate authority into thinking that it is authorized.

However, in practice CAA would have protected domain owners from many of the recent security vulnerabilities in certificate authorities. Publishing a CAA policy is a very sensible security measure despite its limitations.

For added protection, use a Certificate Transparency monitor such as Cert Spotter to alert you if a certificate is issued that violates your CAA policy.